nginx: src/http/ngx_http_request.c comparison

comparison src/http/ngx_http_request.c @ 7367:bf1ac3dc1e68

SSL: fixed segfault on renegotiation (ticket #1646). In e3ba4026c02d (1.15.4) nginx own renegotiation checks were disabled if SSL_OP_NO_RENEGOTIATION is available. But since SSL_OP_NO_RENEGOTIATION is only set on a connection, not in an SSL context, SSL_clear_option() removed it as long as a matching virtual server was found. This resulted in a segmentation fault similar to the one fixed in a6902a941279 (1.9.8), affecting nginx built with OpenSSL 1.1.0h or higher. To fix this, SSL_OP_NO_RENEGOTIATION is now explicitly set in ngx_http_ssl_servername() after adjusting options. Additionally, instead of c->ssl->renegotiation we now check c->ssl->handshaked, which seems to be a more correct flag to test, and will prevent the segmentation fault from happening even if SSL_OP_NO_RENEGOTIATION is not working.

author	Maxim Dounin <mdounin@mdounin.ru>
date	Tue, 02 Oct 2018 17:46:18 +0300
parents	1812f1d79d84
children	0f0c75caa038

comparison

equal deleted inserted replaced

-:7bf3c323cb6e
+:bf1ac3dc1e68
 return SSL_TLSEXT_ERR_NOACK;
 }
 c = ngx_ssl_get_connection(ssl_conn);
-if (c->ssl->renegotiation) {
+if (c->ssl->handshaked) {
 return SSL_TLSEXT_ERR_NOACK;
 }
 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
 "SSL server name: \"%s\"", servername);
 SSL_clear_options(ssl_conn, SSL_get_options(ssl_conn) &
 ~SSL_CTX_get_options(sscf->ssl.ctx));
 #endif
 SSL_set_options(ssl_conn, SSL_CTX_get_options(sscf->ssl.ctx));
+#ifdef SSL_OP_NO_RENEGOTIATION
+SSL_set_options(ssl_conn, SSL_OP_NO_RENEGOTIATION);
+#endif
 }
 return SSL_TLSEXT_ERR_OK;
 }

Mercurial > hg > nginx

comparison src/http/ngx_http_request.c @ 7367:bf1ac3dc1e68